The Security firm IOActive has found a number of serious security holes in home automation products from Belkin that allow remote attackers to virtually vandalise connected homes and break into computers connected on a home network.
IOActive researcher Mike Davis said that his research into Belkin’s WeMo technology found the “devices expose users to several potentially costly threats, from home fires with possible tragic consequences down to the simple waste of electricity”.
He said that efforts to contact Belkin regarding the software vulnerabilities were unsuccessful.
Belkin WeMo is a line of home automation products including wi-fi enabled light switches and plugs that allow homeowners to control a wide range of “dumb” devices like lamps and kitchen appliances from the Internet using their computer or mobile device.
Belkin’s firmware for the WeMo are signed with public key encryption to protect against unauthorised modifications. However, the signing key and password are leaked on the firmware that is already installed on devices, Davis writes.
This means that an attacker with physical or logical access to a WeMo device could copy the signing key and password and then use it to sign a malicious software update to run on the device. The valid signature would allow the firmware to bypass security checks during the firmware update process, Davis said.
It is not the only problem. WeMo devices don’t validate Secure Socket Layer (SSL) certificates used with inbound communications from Belkin’s cloud service. That could allow an attacker to impersonate Belkin’s legitimate cloud service using any valid SSL certificate and push a dodgy firmware update or malicious RSS feed to WeMo devices.
Belkin also made a shortcut for WeMo devices by ‘abusing’ a protocol originally designed for use with Voice over Internet Protocol (VoIP) services.
If you have knowledge of the protocol and a ‘secret number’ uniquely identifying the device, an attacker could connect to and control any WeMo device over the proprietary network.
Belkin, Davis says, has “compromised all WeMo devices security by creating a virtual WeMo darknet where all WeMo devices can be connected to directly”.
Writing on IOActive’s bog Davis’s workmate, Cesar Cerrudo said that Internet of Things products such as the WeMo commonly suffer from the exact same kind of software vulnerabilities that have plagued laptop and desktop computers for the last decade.
They include sending sensitive data sent over insecure channels, poor implementation of encryption technology, reliance on hard coded administrator credentials (or ‘back doors’) and storage of sensitive data in clear text.